New banking malware 'Kronos' advertised on underground forums

A new Trojan program designed to steal log-in credentials and other financial information from online banking websites is being advertised to cybercriminal groups on the underground market.

The new malware is called Kronos, and based on a recent ad seen in a Russian cybercriminal forum it can steal credentials from browsing sessions in Internet Explorer, Mozilla Firefox and Google Chrome by using form-grabbing and HTML content injection techniques, said Etay Maor, a senior fraud prevention strategist at IBM subsidiary Trusteer, Friday in a blog post.

According to the ad, the new threat is compatible with content-injection scripts -- also known as Web injects -- developed for Zeus, a popular online banking Trojan that's no longer in development. This design decision is intended to allow cybercriminals who still use Zeus variants in their operations to easily switch to Kronos.

In addition to the information-theft capabilities, the new Trojan has a user-mode rootkit component for 32-bit and 64-bit Windows systems that can protect its processes from competing malware. Its creator also claims that Kronos can evade antivirus detection and sandbox environments typically used for malware analysis.

The new cybercriminal tool is being advertised for $7,000, a price that includes the promise of continued development, free upgrades and bug fixes.

"Most malware today is sold in the low hundreds of dollars, sometimes even offered for free due to several malware source code leaks," Maor said. "It remains to be seen how popular Kronos will be within the cyber crime community."

The premium price suggests that Kronos is intended as a replacement for former commercial crimeware toolkits like Zeus, Carberp and SpyEye, whose development has been discontinued or whose source code has been leaked in recent years.

According to researchers from Kaspersky Lab, who also saw the Kronos advertisements on several underground forums last week, the new online banking threat appears to be based on the source code of Carberp.

The screenshots posted by Kronos' author show fragments of code injected into other processes, and the code looks pretty similar to Carberp's, said Dmitry Tarakanov, senior security researcher at Kaspersky Lab, Monday via email.

Carberp has also been sold to cybercriminals in the past at a premium price, but the malware's source code was leaked online last year, possibly after internal disputes between its creators.

Trusteer and Kaspersky Lab have yet to obtain a sample of Kronos for analysis.

The $7,000 price is not a sum that would scare off serious cybercriminals if the offer is solid, Tarakanov said. "Professional groups can make hundreds of thousands [of dollars], so $7,000 is more than acceptable for them."

Without third-party analysis the claims made by Kronos' creator should be viewed with skepticism, said Chris Boyd, malware intelligence analyst at Malwarebytes, via email. "In particular, sandbox bypassing is a very broad claim -- there are multiple sandboxes and they all have many ways to defeat evasive malware. Getting around one could well be doable, but all of them? It's probably unlikely, and if it could do that one suspects it would fetch a much higher asking price."

The promise of continued support and bug fixes might be one of the most attractive features of Kronos, according to Tim Erlin, director of security and risk at Tripwire.

"Anyone running a business requires stable and secure software to do so, and that includes cybercriminals," Erlin said. "Being new, and therefore harder to detect, is [also] a feature in and of itself."

On Friday, security researchers from CSIS Security Group in Denmark reported that the source code of yet another online banking Trojan called Tinba was leaked on underground forums.

"The cybercriminal underground is a market," Tarakanov said. "Source code leakages and botnet shutdowns have been happening constantly but we see virus writers from time to time come up with new (or based on old but modified) banking malware. It proves that the market wants such tools."

Copyright 2010 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.